How to use fw monitor

More documents

Recommendations

Info

Standard Usage Using fw monitor The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet from every interface that passes (or at least reaches) the enforcement module. Please note that the same packet is appearing several times (two times in the example below). This is caused by fw monitor capturing the packets at different capture points. Please refer to Capture masks for a more detailed explanation. [cpmodule]# fw monitor monitor: getting filter (from command line) monitor: compiling monitorfilter: Compiled OK. monitor: loading monitor: monitoring (control-C to stop) eth0:i[285]: 172.16.1.133 -> 172.16.1.2 (TCP) len=285 id=1075 TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc eth0:I[285]: 172.16.1.133 -> 172.16.1.2 (TCP) len=285 id=1075 TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc eth0:o[197]: 172.16.1.2 -> 172.16.1.133 (TCP) len=197 id=44599 TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83 eth0:O[197]: 172.16.1.2 -> 172.16.1.133 (TCP) len=197 id=44599 TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83 eth0:o[1500]: 172.16.1.2 -> 172.16.1.133 (TCP) len=1500 id=44600 TCP: 18190 -> 1050 ....A. seq=941b0659 ack=bf8bca83 ^C monitor: caught sig 2 monitor: unloading Figure 7: Invoking fw monitor without parameters Reading fw monitor output eth0:i[285]: 172.16.1.133 -> 172.16.1.2 (TCP) len=285 id=1075 Figure 8: Reading fw monitor output – first line This packet was captured on the first network interface (eth0) in inbound direction before the virtual machine (lowercase i; see Capture masks for a more detailed explanation). The packet length is 285 bytes (in square parenthesis; repeated at the end of the line. Please not that these two values may be different. Refer to the Virtual Defragmentation note for further information) and the packets ID is 1075. The packet was sent from 172.16.1.133 to 172.16.1.2 and carries a TCP header/payload. How to use fw monitor Page 12 of 70 Revision: 1.01
TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc Figure 9: Reading fw monitor output – second line The second line tells us that this is an TCP payload inside the IP packet which was sent from port 1050 to port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged sequence number (ack=941b05bc). You will see similar information for UDP packets. ! You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or can not be analyzed because it is encrypted (e.g. ESP or encapsulated (e.g. GRE) the second line is missing. How does fw monitor work? In contrast to other capturing tools like snoop or tcpdump, fw monitor does not use the promiscuous mode on network interface cards. Based on the fact that FireWall-1 already receives all packets (due to the FireWall-1 kernel module between NIC driver and IP stack) fw monitor uses it’s own kernel module to capture packets (compared to filtering/encrypting them). Unlike snoop or tcpdump, fw monitor has the ability to capture packets at different positions (refer to Capture position for more information about the four locations) in the FireWall-1 kernel module chain. snoop and tcpdump are capturing packets when they enter or leave the computer. Especially when NAT with FireWall-1 is involved fw monitor offers the possibility to capture packets at multiple locations (e.g. after the FireWall Virtual in inbound direction). This can help you to see how the packets are translated by the firewall and on which IP address the routing decission is made. How to use fw monitor Page 13 of 70 Revision: 1.01
Page 1 and 2: How to use fw monitor 10-Jul-2003 A
Page 3 and 4: FW MONITOR ON FIREWALL-1 VSX ......
Page 5 and 6: Typographic Conventions used in thi
Page 7 and 8: Command syntax fw monitor [-u|s] [-
Page 9 and 10: Please use ^D (that is Control + D)
Page 11: Capture a specific number of packet
Page 15 and 16: By default fw monitor captures pack
Page 17 and 18: Limit the packet length fw monitor
Page 19 and 20: How to change the position of the f
Page 21 and 22: ! The virtual defragmentation may l
Page 23 and 24: Relative position using a Number Th
Page 25 and 26: Relative position using an Alias An
Page 27 and 28: Absolute position Although in most
Page 29 and 30: All positions A new option in NG wi
Page 31 and 32: 1 st Byte 2 nd Byte 3 rd Byte 4 th
Page 33 and 34: 0 8 16 24 32 header length TCP sour
Page 35 and 36: Logical and Relational Operators In
Page 37 and 38: src for example is defined as ip_sr
Page 39 and 40: Inspect fw monitor files The recomm
Page 41 and 42: ash-2.03# snoop -v -c 1 -i fwmonito
Page 43 and 44: Using Ethereal to inspect fw monito
Page 45 and 46: The pane in the middle shows protoc
Page 47 and 48: Ethereal fw monitor additions Alfre
Page 49 and 50: Activate the FW-1 chain column The
Page 51 and 52: Using display and color filters on
Page 53 and 54: Other useful expressions are: Field
Page 55 and 56: Using CPEthereal to inspect fw moni
Page 57 and 58: NAT Highlighting Following a connec
Page 59 and 60: Because some problems (missing at
Page 61 and 62: Block Filters Block filters allow y
Page 63 and 64:
A new feature in NG with Applicatio
Page 65 and 66:
fw monitor on FireWall-1 VSX If you
Page 67 and 68:
Detecting sniffers on your network
Page 69 and 70:
Reference Multicast MAC addresses S
show all

How to use fw monitor

Create successful ePaper yourself

Delete template?

Save as template?